[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Human-friendly olcAccess management

To: openldap-technical@openldap.org
Subject: Re: Human-friendly olcAccess management
From: Harry Jede <harry.jede@arcor.de>
Date: Sun, 22 Nov 2015 13:28:43 +0100
Dkim-signature: v=1; a=rsa-sha256; c=simple/simple; d=arcor.de; s=mail-in; t=1448195325; bh=AOWXnVoRU0iD7OuLcp7c6+KQjDWQVGNqRz+2Uf6+j34=; h=From:To:Subject:Date:References:In-Reply-To:MIME-Version: Content-Type:Content-Transfer-Encoding:Message-Id; b=LlEhnISbRH9ZXp4bXfFsZA5t2ST9O9JhyQtxoTfPidurjJpgnQbjK4FcARJEiOPCE 65aGM0u0m5uc5OMkAH6xHOfLmJTnrdJRkLi00gkNxNYnBaihzQ1sDivMaKHj64nf9S VrAJ96PfVQQY4qB5vKmltVn7kLr1efM/QYV096HU=
In-reply-to: <CAO+XWgk92yJi3X3OQ1UM8pc4DnxADE1X_yTjLbU9eeCtfUwLyg@mail.gmail.com>
References: <CAO+XWgk92yJi3X3OQ1UM8pc4DnxADE1X_yTjLbU9eeCtfUwLyg@mail.gmail.com>
User-agent: KMail/1.13.7 (Linux/3.16-0.bpo.3-amd64; KDE/4.8.4; x86_64; ; )

Bogdan Rudas wrote:

> Hello all,

> I would like to start use of olcAccess rules, are there

> human-friendly editor for that ACLs?

Use any editor you wish. It is just text!

> I can't even use line breaks in ldif file to make my restrictions a

> bit more readable!

One can use line breaks, no problem. But understanding ldif file

syntax is important.

Often one have very long lines in ldif files.

A standard terminal has a width of 80 characters. Longer lines get

broken at charakter 78. 79 charakter is a newline "\n", 80 character

is one space " ". So the output you get looks like this:

line no text

1 "78 byte" + "\n"

2 "one space" + "next 78 bytes + "\n"

3 "one space" + "next 78 bytes + "\n"

This happens during a ldapsearch operation. If you upload this

ldif to a ldapserver these two bytes "\n " will be removed.

Conclusion:

One may add a newline to a ldif file by adding two characters

"\n + space". You may add as many newline you wish.

i.e.

open

becomes "openlap" after opload.

open

becomes "open l ap" after upload

> I strongly dislike very long string values, one

> day this will cause mistake and access violation.

> I've tried with Apache DS, ldif import and few puppet modules,

> everything require huge line ACL.

No, not really. They just require proper formated ldif input.

man ldif, section "ENTRY RECORD EXAMPLE", attribute jpegPhoto

> Any help will be welcome.

read this thread:

http://www.openldap.org/lists/openldap-technical/201402/threads.html#00105

here is a small filter which may help you:

# cat $(which fmt_olcAccess)

#!/bin/sed -rf

# Author: Harry Jede

# produce human readable but still machine parseable

# olcAccess lines and removes the ordering numbers in {}

# because humans don't need them, really.

# the hole script

s/^(olcAccess: )\{[[:digit:]]+\}(.*$)/\1\2/

$!{H;d}

${H;g;s/\n //g;s/[[:space:]]+by /\n by /g}

info sed explains the commands

in short

line 1: removes the ordering numbers

line 2: concatenate all lines into hold buffer

line 3: move hold buffer back to pattern buffer

s/\n //g delete any occurance of "\n "

finally search for " by" and add a

ldif line break in front of " by"

Harry Jede

References:
- Human-friendly olcAccess management
  - From: Bogdan Rudas <brudas@exadel.com>

Prev by Date: RE: Getting around the single-threaded syncrepl model?
Next by Date: Re: Trying to set up multimaster syncrepl, error attribute 'olcTLSCertificateFile' not allowed , why?
Index(es):
- Chronological
- Thread